CISA: Here’s how you can foil DDoS attacks

In light of the rise of “DDoS hacktivism” and the recent DDoS attacks aimed at disrupting French and Alabama government websites, the Cybersecurity and Infrastructure Security Agency (CISA) has updated its guidance of how governmental entities (but also other organizations) should respond to this type of attacks.

DDoS attacks explained

First and foremost, the document explains the main difference between a DoS attack (from a single source) and a DDoS attack (from multiple sources).

“The main advantage of a DDoS attack over a DoS attack is the ability to generate a significantly higher volume of traffic, overwhelming the target system’s resources to a greater extent,” the agency says. Needless to say, this makes DDoS attacks a bigger problem.

DDoS attacks can be categorized based on the techniques used. There are:

• Volume-based attacks, which involve directing a massive volume of traffic towards the target with the aim to exhaust bandwidth or system resources
• Protocol-based attacks, which exploit vulnerabilities in network protocols or services with the aim to degrade the target’s performance or cause it to malfunction
• Application layer-based attacks (aka “Layer 7”), which target vulnerabilities in applications or services running on the target system.

Though, the agency notes, the different techniques can be – and are often – combined.

Recognize and fight DDoS attacks

CISA has spelled out various indicators that an organization might be the target of a DDoS attack.

Symptoms of a DDoS Attack (Source: CISA)

But, the agency argues, organizations should assess the risk of being DDoS before getting targeted, implement appropriate security measures, and have a incident response (IR) plan in place.

They should, among other things:

• Regularly analyze their network traffic to be aware of normal traffic patterns so they can recognize abnormal ones
• Protect websites against automated attacks by implementing a CAPTCHA challenge
• Use firewalls to filter out suspicious traffic patterns and perhaps implement traffic rate limitations
• Consider using solutions to distribute the traffic load, and implement redundant network infrastructure

Recognize the signs of a DDoS attack and use network monitoring tools and traffic analysis to confirm it, the agency says, then activate your IR plan and start gathering information related to the attack (timestamps, IP addresses, packet captures, logs, etc.).

Your ISP may able to help you mitigate the attack by implementing traffic restrictions and port and packet size filtering, a content delivery network (CDN) service may help you by absorbing and distributing traffic, and DDoS mitigation providers can help you filter and divert malicious traffic.

“After the situation is resolved, conduct a thorough post-incident analysis to understand the attack vectors, vulnerabilities exposed, and lessons learned. Update your incident response plan and security measures accordingly to prevent future attacks,” CISA advised, and pointed out that “new attack methods and variations constantly emerge as malicious actors adapt and evolve their tactics, techniques, and procedures (TTPs).”